Roundcube Stored XSS (CVE-2023-5631, CVE-2023-43770)
Summary
Stored XSS vulnerabilities affect Roundcube versions 1.6.3 and older (CVE-2023-5631, CVE-2023-43770). Roundcube is a webmail service offered within cPanel & WHM.
Security Rating
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2023-43770 – MEDIUM
CVE-2023-5631 – MEDIUM
Description
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code (CVE-2023-5631).
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of rcube_string_replacer.php behavior (CVE-2023-43770).
Solution
To resolve and work around the issue on Linux systems, cPanel has issued new Roundcube RPMs. Server Owners are strongly urged to upgrade to the following cPanel & WHM versions:
11.110.0.14
11.114.0.10
11.116.0.2
Verify the new Roundcube RPMs were installed:
RHEL/RPM-based Systems
# rpm -q –changelog cpanel-roundcubemail | grep -E ‘CVE-2023-43770|CVE-2023-5631’
– Add patch for CVE-2023-43770
– Add patch for CVE-2023-5631
Ubuntu/DEB-based Systems
# zgrep -E ‘CVE-2023-43770|CVE-2023-5631’ /usr/share/doc/cpanelroundcubemail/changelog.Debian.gz
* Add patch for CVE-2023-43770
* Add patch for CVE-2023-5631
FAQ
This notification covers CVE-2023-5631 and CVE-2023-43770.
References
CPANEL-43459 – CVE-2023-5631 Roundcube XSS vulnerability
Official Record CVE-2023-5631
Official Record CVE-2023-43770
Debian Bug Report for CVE-2023-5631
Debian Bug Report for CVE-2023-43770